Craig Chamberlain
92633ed51a
* Create ml_linux_anomalous_compiler_activity.toml rule to accompany the rare compiler activity job * Update ml_linux_anomalous_compiler_activity.toml added fp field * Update ml_linux_anomalous_compiler_activity.toml * Update ml_linux_anomalous_compiler_activity.toml * Update ml_linux_anomalous_compiler_activity.toml
32 lines
972 B
TOML
32 lines
972 B
TOML
[metadata]
|
|
creation_date = "2020/09/03"
|
|
ecs_version = ["1.6.0"]
|
|
maturity = "production"
|
|
updated_date = "2020/09/03"
|
|
|
|
[rule]
|
|
anomaly_threshold = 50
|
|
author = ["Elastic"]
|
|
description = """
|
|
Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc
|
|
software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run
|
|
exploits or malware activity.
|
|
"""
|
|
false_positives = [
|
|
"""
|
|
Uncommon compiler activity can be due to an engineer running a local build on a prod or staging instance in the
|
|
course of troubleshooting or fixing a software issue.
|
|
""",
|
|
]
|
|
from = "now-45m"
|
|
interval = "15m"
|
|
license = "Elastic License"
|
|
machine_learning_job_id = "linux_rare_user_compiler"
|
|
name = "Anomalous Linux Compiler Activity"
|
|
risk_score = 21
|
|
rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530"
|
|
severity = "low"
|
|
tags = ["Elastic", "Linux", "ML"]
|
|
type = "machine_learning"
|
|
|